I would like to use authentication form on every page (in the header of the page), so user could authenticated from any page.
I’m using Tomcat’s FORM based authentication, but when i go to my index page, and try to login using the form in the header, I get:
HTTP 400 - Invalid Direct Reference To Login Page
Is there any workaround I could use, some settings in web.xml maybe, to solve this problem?
Edit:
Here is the header’s login form:
<form method="post" action="j_security_check">
<input type="text" name="j_username" class="login"/>
<input type="password" name="j_password" class="login"/>
<input type="submit" value="Login"/>
</form>
The concept of Tomcat’s form based authentication is that it intercepts unauthenticated requests to protected pages and internally redirects to a separate login page. It also saves the original page request. Once the user has successfully logged in, the original page request is replayed and the protected page is displayed.
What you are trying to achieve is – as far as I can derive from your short description – something different. Basically, all your pages are public. Optionally, a user can log in and will then get personalized pages.
Tomcat won’t help you implementing this. When you use the
j_security_checkaction, it will be unable to do anything because it never intercepted a request in the first place.Instead, it’s probably easier to check the username and password yourself if the login form is submitted. If they are okay, just put the username into your session data. An authenticated session can easily be recognized as it contains the username in the session data.
There is probably even a way to reuse the Tomcat realms that are e.g. able to check username and password against a database. But I don’t know for sure.